How Graneth protects your code, your secrets, and your scan data.
Graneth observes, scores, and reports — it never blocks a merge or writes to your default branch until you promote a policy to enforcement. You earn trust before you grant control.
Per-IP and per-token bucket limiting on every endpoint to absorb abuse and protect upstream APIs.
Inbound GitHub webhooks are verified with constant-time HMAC-SHA256 signatures before any handler runs.
Cross-origin requests are restricted to an explicit origin allowlist — no wildcard reflection.
Every input is parsed against a Zod schema. Malformed payloads are rejected at the edge.
Each MCP tool call is authorized against role-based access control before it can read code or post findings.
Untrusted code and PR text are wrapped and screened so injected instructions can't steer the analyzer.
Secrets and tokens are encrypted at rest; API keys are stored hashed and shown only once.
Tenant isolation is enforced in the database with row-level security — not just in app code.